What I'm trying to do is create a persistent link from my Buffalo router (wg0 interface) to a WireGuard server that I control. The WireGuard server is also on my local network but is exposed remotely via DDNS and port forwarding.
Here's what my network looks like:
Spectrum ISP -> Orbi router serving out static and DHCP addresses.
Buffalo router has a static address on this network and is connected via Ethernet cable to the Orbi.
Raspberry Pi with a static IP, running the WireGuard server on port 51820, also connected via Ethernet cable.
Before I monkey with the firewall configs at all, internet access when connecting directly to the Buffalo router works fine... until I add the following line:
uci set network.wgserver.route_allowed_ips="1"
That breaks any outside connectivity. I don't know enough about this stuff to know why.
I believe I have successfully created the interface and suspect I need some further configuration with the firewall and forwarding. My ultimate goal will be to create a forwarding rule to route some IP clients over the VPN and some over the unencrypted link. For now, I just want to see traffic flowing through the VPN. Here are my network and firewall config files.
firewall:
firewall.defaults[0]=defaults
firewall.defaults[0].input='ACCEPT'
firewall.defaults[0].output='ACCEPT'
firewall.defaults[0].forward='REJECT'
firewall.defaults[0].synflood_protect='1'
firewall.lan=zone
firewall.lan.name='lan'
firewall.lan.network='lan'
firewall.lan.input='ACCEPT'
firewall.lan.output='ACCEPT'
firewall.lan.forward='ACCEPT'
firewall.wan=zone
firewall.wan.name='wan'
firewall.wan.network='wan' 'wan6' 'wg0'
firewall.wan.output='ACCEPT'
firewall.wan.masq='1'
firewall.wan.mtu_fix='1'
firewall.wan.input='ACCEPT'
firewall.wan.forward='ACCEPT'
firewall.rule[0]=rule
firewall.rule[0].name='Allow-DHCP-Renew'
firewall.rule[0].src='wan'
firewall.rule[0].proto='udp'
firewall.rule[0].dest_port='68'
firewall.rule[0].target='ACCEPT'
firewall.rule[0].family='ipv4'
firewall.rule[1]=rule
firewall.rule[1].name='Allow-Ping'
firewall.rule[1].src='wan'
firewall.rule[1].proto='icmp'
firewall.rule[1].icmp_type='echo-request'
firewall.rule[1].family='ipv4'
firewall.rule[1].target='ACCEPT'
firewall.rule[2]=rule
firewall.rule[2].name='Allow-IGMP'
firewall.rule[2].src='wan'
firewall.rule[2].proto='igmp'
firewall.rule[2].family='ipv4'
firewall.rule[2].target='ACCEPT'
firewall.rule[3]=rule
firewall.rule[3].name='Allow-DHCPv6'
firewall.rule[3].src='wan'
firewall.rule[3].proto='udp'
firewall.rule[3].src_ip='fc00::/6'
firewall.rule[3].dest_ip='fc00::/6'
firewall.rule[3].dest_port='546'
firewall.rule[3].family='ipv6'
firewall.rule[3].target='ACCEPT'
firewall.rule[4]=rule
firewall.rule[4].name='Allow-MLD'
firewall.rule[4].src='wan'
firewall.rule[4].proto='icmp'
firewall.rule[4].src_ip='fe80::/10'
firewall.rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule[4].family='ipv6'
firewall.rule[4].target='ACCEPT'
firewall.rule[5]=rule
firewall.rule[5].name='Allow-ICMPv6-Input'
firewall.rule[5].src='wan'
firewall.rule[5].proto='icmp'
firewall.rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule[5].limit='1000/sec'
firewall.rule[5].family='ipv6'
firewall.rule[5].target='ACCEPT'
firewall.rule[6]=rule
firewall.rule[6].name='Allow-ICMPv6-Forward'
firewall.rule[6].src='wan'
firewall.rule[6].dest='*'
firewall.rule[6].proto='icmp'
firewall.rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.rule[6].limit='1000/sec'
firewall.rule[6].family='ipv6'
firewall.rule[6].target='ACCEPT'
firewall.rule[7]=rule
firewall.rule[7].name='Allow-IPSec-ESP'
firewall.rule[7].src='wan'
firewall.rule[7].dest='lan'
firewall.rule[7].proto='esp'
firewall.rule[7].target='ACCEPT'
firewall.rule[8]=rule
firewall.rule[8].name='Allow-ISAKMP'
firewall.rule[8].src='wan'
firewall.rule[8].dest='lan'
firewall.rule[8].dest_port='500'
firewall.rule[8].proto='udp'
firewall.rule[8].target='ACCEPT'
firewall.include[0]=include
firewall.include[0].path='/etc/firewall.user'
firewall.zone[2]=zone
firewall.zone[2].input='ACCEPT'
firewall.zone[2].forward='REJECT'
firewall.zone[2].name='WGZONE'
firewall.zone[2].output='ACCEPT'
network:
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd55:f2f8:e3a8::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.switch[0]=switch
network.switch[0].name='switch0'
network.switch[0].reset='1'
network.switch[0].enable_vlan='1'
network.switch_vlan[0]=switch_vlan
network.switch_vlan[0].device='switch0'
network.switch_vlan[0].vlan='1'
network.switch_vlan[0].ports='1 3 4 5 0t'
network.switch_vlan[1]=switch_vlan
network.switch_vlan[1].device='switch0'
network.switch_vlan[1].vlan='2'
network.switch_vlan[1].ports='2 0t'
network.wg0=interface
network.wg0.proto='wireguard'
network.wg0.private_key=<private key>
network.wg0.addresses='192.168.9.2/24'
network.wgserver=wireguard_wg0
network.wgserver.public_key=<server public key>
network.wgserver.endpoint_host=<wg server host>
network.wgserver.endpoint_port='51820'
network.wgserver.persistent_keepalive='25'
network.wgserver.allowed_ips='0.0.0.0/0' '::/0'
Thank you all for your time and expertise. I'm eager to learn this stuff in more detail. Also, several of those lines should obviously have "@" in them, but since I'm a new user, the forum won't let me post with those because it thinks I'm tagging a user.
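Added example, not part of the original post and not OpenWrt project code: a POSIX shell script that emits a uci batch turning the posted wg0 interface into a WireGuard client with policy-based routing, which is the "some clients over the VPN, some over the plain link" goal stated above. It keeps route_allowed_ips='1' but points the interface's ip4table/ip6table at a private routing table, so the peer's 0.0.0.0/0 and ::/0 routes no longer land in the main table next to the WAN default route and the tunnel's own handshake packets keep leaving via WAN. It moves wg0 out of the 'wan' zone into its own zone, allows forwarding only from lan into that zone, and puts the wan zone's input policy back to REJECT (the OpenWrt default; the posted config has it at ACCEPT, which exposes the router's own services to the WAN side). An 'unreachable' fallback route in the private table keeps the selected clients from silently falling back to plain WAN when the tunnel is down. The table id 100, zone name 'vpn', rule priorities 100/200, the section names pbr_*, and the two client addresses in VPN_CLIENTS are assumptions chosen for illustration; the private key, endpoint and peer public key stay as already configured on the router.

```shell
#!/bin/sh
# Added example (not from the original post, not OpenWrt project code): emit a
# `uci batch` that turns the posted wg0 config into a WireGuard client with
# policy-based routing for selected LAN hosts.
#   - wg0 leaves the 'wan' zone and gets its own zone 'vpn' (assumed name)
#   - route_allowed_ips='1' stays, but the 0.0.0.0/0 and ::/0 routes go to a
#     private table (ip4table/ip6table), so the WAN default route survives and
#     the tunnel handshake itself still leaves via WAN
#   - ip rules send only VPN_CLIENTS through that table; LAN-to-LAN stays local
#   - an 'unreachable' fallback in the table stops those hosts from leaking to
#     plain WAN while the tunnel is down
# Assumed values (not from the post): WG_TABLE, zone name, rule priorities,
# section names pbr_*, and the constructed VPN_CLIENTS list.

WG_IF="wg0"
WG_TABLE="100"                          # assumed private routing table id
LAN_NET="192.168.1.0/24"                # LAN subnet from the post
VPN_CLIENTS="192.168.1.50 192.168.1.51" # constructed: LAN hosts to tunnel

wg_client_batch() {
    # interface: only the options that change relative to the posted config
    cat <<EOF
set network.$WG_IF.ip4table='$WG_TABLE'
set network.$WG_IF.ip6table='$WG_TABLE'
set network.wgserver.route_allowed_ips='1'
EOF
    # LAN destinations are looked up in main (table 254) before any VPN rule
    cat <<EOF
set network.pbr_lan=rule
set network.pbr_lan.dest='$LAN_NET'
set network.pbr_lan.lookup='254'
set network.pbr_lan.priority='100'
EOF
    # one rule per selected client; priority 200 is evaluated after the LAN rule
    n=0
    for host in $VPN_CLIENTS; do
        n=$((n + 1))
        cat <<EOF
set network.pbr_client$n=rule
set network.pbr_client$n.src='$host/32'
set network.pbr_client$n.lookup='$WG_TABLE'
set network.pbr_client$n.priority='200'
EOF
    done
    # leak protection: with wg0 down, the table holds only this entry, so the
    # selected clients get ICMP unreachable instead of falling through to WAN
    # (assumes a netifd that supports 'type' on route sections)
    cat <<EOF
set network.pbr_unreach=route
set network.pbr_unreach.interface='lan'
set network.pbr_unreach.target='0.0.0.0/0'
set network.pbr_unreach.table='$WG_TABLE'
set network.pbr_unreach.type='unreachable'
set network.pbr_unreach.metric='9999'
EOF
    # firewall: wg0 out of wan, wan input back to the OpenWrt default, own zone
    # with masquerading, forwarding only lan -> vpn (nothing from the tunnel may
    # initiate connections to the LAN or to the router itself)
    cat <<EOF
del_list firewall.wan.network='$WG_IF'
set firewall.wan.input='REJECT'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='$WG_IF'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
set firewall.lan_vpn=forwarding
set firewall.lan_vpn.src='lan'
set firewall.lan_vpn.dest='vpn'
commit network
commit firewall
EOF
}

# count_vpn_rules: number of per-client policy rules the batch would create
count_vpn_rules() {
    wg_client_batch | grep -c "\.lookup='$WG_TABLE'"
}

if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    wg_client_batch | uci batch       # apply on the router
    /etc/init.d/network restart
    /etc/init.d/firewall restart
else
    wg_client_batch                   # review mode: print the batch only
fi
```

Run it on the router once without arguments to review the batch, then with --apply. Afterwards, `ip rule`, `ip route show table 100` and `wg show` should show the two client rules, the tunnel's default route in table 100 (with the unreachable entry below it), and a recent handshake. Because wg0's own 192.168.9.0/24 route also lands in table 100, only the selected clients reach the tunnel network; the router itself keeps using the main table, so a local `ping 192.168.9.1` from the router needs its own rule or route if that matters to you.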